Commit message | Author | Age | Files
---|---|---|---
nginx: Don't hard-code the HPKP headers. Instead, look up the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out. | Guilhem Moulin | 2016-07-12 | 5
gencerts: exclude expired certs in the CRT queries. | Guilhem Moulin | 2016-07-10 | 1
Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 7
Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 9
typo | Guilhem Moulin | 2016-06-15 | 1
crt.sh: Replace SHA1 by SHA256 as SPKI digest to list certificates. | Guilhem Moulin | 2016-06-15 | 1
certs/public: fetch each cert's pubkey (SPKI), not the cert itself. To avoid new commits upon cert renewal. | Guilhem Moulin | 2016-06-15 | 9
Renew cert for https://lists.fripost.org. | Guilhem Moulin | 2016-05-28 | 1
IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. There is no need to bother with X.509 cruft here. | Guilhem Moulin | 2016-05-24 | 6
Restore the public part of Bacula's data encryption master key. Which was incorrectly removed at commit 8cf4032ecec5b9f58d829e89f231179170432539 | Guilhem Moulin | 2016-05-23 | 1
Remove CAcert certificates. We're now using the Let's Encrypt CA for our public internet-facing services. | Guilhem Moulin | 2016-05-22 | 2
gencerts: improve formatting. | Guilhem Moulin | 2016-05-22 | 1
Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 9
Tunnel munin-update traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 6
Set up IPSec tunnels between each pair of hosts. We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | Guilhem Moulin | 2016-05-22 | 6
Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. And use this to fetch all X.509 leaf certificates. | Guilhem Moulin | 2016-05-18 | 8
Renew imap.fripost.org:993 and smtp.fripost.org:587 X.509 certificates. | Guilhem Moulin | 2016-05-18 | 4
Set a HPKP on the webmail, website/wiki/git and list manager. | Guilhem Moulin | 2016-04-01 | 4
gencerts.sh: typo | Guilhem Moulin | 2016-03-28 | 1
gencerts.sh: improve formatting. | Guilhem Moulin | 2016-03-28 | 1
Replace LE's X1 intermediate CA with X3 since the latter has better support for XP. | Guilhem Moulin | 2016-03-28 | 1
Reissue certs on civett and elefant since LE's X3 intermediate CA has better support for XP. | Guilhem Moulin | 2016-03-27 | 5
Let's Encrypt: Only reload (as opposed to restart) postfix/nginx after renewing the cert | Guilhem Moulin | 2016-03-05 | 3
Let's Encrypt | Guilhem Moulin | 2016-03-02 | 8
Improve gencert.sh | Guilhem Moulin | 2015-12-20 | 1
Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 11
Change Postfix certs from ECDSA to RSA 4096. | Guilhem Moulin | 2015-12-03 | 4
wibble | Guilhem Moulin | 2015-12-03 | 1
Add script to automatically generate the fingerprint list. | Guilhem Moulin | 2015-12-03 | 1
Add 'git.fripost.org' to the SSH known_hosts file. | Guilhem Moulin | 2015-12-03 | 1
Automatically fetch X.509 certificates, and add them to git. | Guilhem Moulin | 2015-12-03 | 9
Add SSH host keys to git. | Guilhem Moulin | 2015-12-02 | 1
‘benjamin.marxist.se’ → ‘benjamin.skangas.se’ | Guilhem Moulin | 2015-11-09 | 2
Configure munin nodes & master. Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | Guilhem Moulin | 2015-06-10 | 6
Add X.509 certificates. | Guilhem Moulin | 2015-06-07 | 22